Subject: RE: Funny sort of question re sys password
Date: Wed, 10 Mar 2004 07:49:27 -0600
From: "Whittle Jerome Contr NCI" <Jerome.Whittle@scott.af.mil>
To: <oracle-l@freelists.org>
Cc: <dbvision@optusnet.com.au>

Tell them that the proof is in the pudding. Challenge them to a $10 bet;
get out a stopwatch; and sit them at a computer. If they succeed, it
will be $10 well spent to expose a security weakness. Otherwise enjoy
the $10 and watching them squirm.

Jerry Whittle
ASIFICS DBA
NCI Information Systems Inc.
jerome.whittle@scott.af.mil
618-622-4145

> -----Original Message-----
> From: Nuno Souto [SMTP:dbvision@optusnet.com.au]
>
> Someone at work maintains that it takes them 10 minutes to
> break the Oracle SYS password security.
>
> And the Sun boof-head (a different person and I use the
> term loosely...) assures me he's capable of doing so any time
> he wants.
>
> Now, I've been away from this security stuff for a year or so and
> I may well be wrong here, but breaking the password security
> means cracking the Oracle encryption.  While this may be possible,
> I can't believe it only takes 10 minutes?
>
> Wouldn't it rather be a case of social engineering at work?
> Or just a plain vanilla "change_on_install" case?
>
> <says he who used to change it to "changed",
> with the obvious funny consequences>
> Cheers
> Nuno Souto
> nsouto@optusnet.com.au
>


